Cisco AnyConnect: Certificate Enrollment over SCEP failed for mobile devices

vrnomeyer
Level 1

Hi,

I tried to configure a Cisco ASA 5505 (named “AnyConnect”) as a VPN-Gateway for AnyConnect. The ASA has an inside (192.168.1.0/24) and an outside (172.16.1.0/24) interface. In the inside network is a CA server (named “ciscoca”) running on a Cisco IOS router and directly connected to the ASA. In the outside network is a Cisco Access-Point.

Now I want to connect with a mobile device via the access point to the ASA to establish a VPN tunnel. Therefore, I have two different tunnel-groups. One group called “SCEP” is for the authentication with a simple password so that you can connect and start a request for a certificate via the SCEP protocol to the CA server. The other one (“certauth”) is for authentication with the requested certificate.

I tested the environment above in two different ways:

First, I tried to connect with a PC. An AnyConnect client is installed on the computer. When I connect with the SCEP tunnel-group, it shows the following:

[Fri Aug 03 13:47:28 2012] Ready to connect.
[Fri Aug 03 13:48:07 2012] Contacting 172.16.1.1.
[Fri Aug 03 13:48:18 2012] No valid certificates available for authentication.
[Fri Aug 03 13:48:18 2012] Please enter your username and password.
[Fri Aug 03 13:48:22 2012] Establishing VPN session...
[Fri Aug 03 13:48:23 2012] Checking for profile updates...
[Fri Aug 03 13:48:25 2012] Downloading AnyConnect VPN Profile - 100%
[Fri Aug 03 13:48:25 2012] Checking for product updates...
[Fri Aug 03 13:48:25 2012] Checking for customization updates...
[Fri Aug 03 13:48:25 2012] Performing any required updates...
[Fri Aug 03 13:48:26 2012] Establishing VPN session...
[Fri Aug 03 13:48:26 2012] Establishing VPN - Initiating connection...
[Fri Aug 03 13:48:26 2012] Establishing VPN - Examining system...
[Fri Aug 03 13:48:26 2012] Establishing VPN - Activating VPN adapter...
[Fri Aug 03 13:48:26 2012] Establishing VPN - Configuring system...
[Fri Aug 03 13:48:27 2012] Establishing VPN...
[Fri Aug 03 13:48:27 2012] Connected to 172.16.1.1.
[Fri Aug 03 13:48:32 2012] Certificate Enrollment - Initiating, Please Wait.
[Fri Aug 03 13:48:32 2012] Certificate Enrollment - Request forwarded.
[Fri Aug 03 13:48:32 2012] Certificate Enrollment - Request forwarded.
[Fri Aug 03 13:48:34 2012] Certificate Enrollment - Storing Certificate.
[Fri Aug 03 13:48:34 2012] Certificate Enrollment - Certificate successfully imported.
[Fri Aug 03 13:48:34 2012] Disconnect in progress, please wait...
[Fri Aug 03 13:48:35 2012] Ready to connect.
[Fri Aug 03 13:48:35 2012] Ready to connect.
[Fri Aug 03 13:48:38 2012] Contacting AnyConnect.
[Fri Aug 03 13:48:45 2012] Please enter your username and password.
[Fri Aug 03 13:48:48 2012] Contacting AnyConnect.
[Fri Aug 03 13:48:53 2012] Your client certificate will be used for authentication
[Fri Aug 03 13:48:55 2012] Establishing VPN session...
[Fri Aug 03 13:48:55 2012] Checking for profile updates...
[Fri Aug 03 13:48:55 2012] Checking for product updates...
[Fri Aug 03 13:48:55 2012] Checking for customization updates...
[Fri Aug 03 13:48:55 2012] Performing any required updates...
[Fri Aug 03 13:48:55 2012] Establishing VPN session...
[Fri Aug 03 13:48:55 2012] Establishing VPN - Initiating connection...
[Fri Aug 03 13:48:55 2012] Establishing VPN - Examining system...
[Fri Aug 03 13:48:55 2012] Establishing VPN - Activating VPN adapter...
[Fri Aug 03 13:48:56 2012] Establishing VPN - Configuring system...
[Fri Aug 03 13:48:56 2012] Establishing VPN...
[Fri Aug 03 13:48:56 2012] Connected to AnyConnect.

As you can see, it works very well. The second test was with different mobile devices (I tried out a Lenovo tablet with Android, an iPad and a Samsung smartphone). All of them connected with the SCEP tunnel-group and established a connection to the ASA. Then the certificate enrollment should start. However, nothing happened. They were all still connected and no device got a certificate from the CA. I searched for a solution but was not able to find anything. I have no idea what the problem could be, because there were no problems while testing with a computer, but with a mobile device it always fails, although I have a mobile license on the ASA.

I hope that somebody can help me. Here is the configuration of the ASA:

------------------ show running-config ------------------
: Saved
:
ASA Version 8.4(4)1
!
hostname AnyConnect
domain-name <removed>
enable password <removed>
passwd <removed>
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.2
 domain-name vpntest.vrnet
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_26
 subnet 192.168.2.0 255.255.255.192
object network Scep
 range 192.168.2.1 192.168.2.50
 description VPNSSLProfile
object network inside
 subnet 192.168.1.0 255.255.255.0
 description inside network
access-list inside extended permit ip any any
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list outside extended permit ip any any
access-list scep remark ASA
access-list scep standard permit 172.16.1.0 255.255.255.0
access-list split remark CA Server
access-list split standard permit host 192.168.1.2
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging buffer-size 64000
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.2.1-192.168.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_26 NETWORK_OBJ_192.168.2.0_26 no-proxy-arp route-lookup
nat (any,any) source static Scep Scep description SCEP
nat (any,any) source static Scep Scep destination static Scep Scep description SCEP hosts
nat (any,any) source static inside inside destination static Scep Scep
access-group inside in interface inside
access-group outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint ciscoca
 enrollment retry period 3
 enrollment retry count 5
 enrollment url http://192.168.1.2:80
 serial-number
 crl configure
crypto ca server
 shutdown
 subject-name-default CN=AnyConnect.vpntest.vrnet
crypto ca certificate chain ciscoca
 certificate 18
    <removed>
  quit
 certificate ca 07
    <removed>
  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 outside
ssh timeout 60
ssh version 1
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.2
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1 des-sha1 null-sha1 rc4-md5
webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 1
 anyconnect profiles VPNTest disk0:/vpntest.xml
 anyconnect profiles sceptest disk0:/sceptest.xml
 anyconnect enable
 tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 dns-server value 192.168.1.100
 vpn-tunnel-protocol ssl-client
 default-domain value <removed>
 address-pools value SSLClientPool
 webvpn
  anyconnect profiles value VPNTest type user
  always-on-vpn profile-setting
group-policy scep internal
group-policy scep attributes
 wins-server none
 dns-server value 192.168.1.2
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-network-list value scep
 default-domain value vpntest.vrnet
 scep-forwarding-url value http://192.168.1.2:80
 webvpn
  anyconnect profiles value sceptest type user
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value vpntest.vrnet
group-policy certauth internal
group-policy certauth attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol ssl-client
 split-tunnel-network-list value split
 default-domain value vpntest.vrnet
 address-pools value SSLClientPool
 webvpn
  anyconnect profiles value sceptest type user
username Admin password <removed>
username vpnuser2 password <removed>
username vpnuser2 attributes
 service-type admin
 webvpn
  anyconnect profiles value sceptest type user
username vpnuser3 password <removed>
username vpnuser1 password <removed>
username vpnuser1 attributes
 service-type remote-access
username root password <removed> privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool SSLClientPool
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 authentication certificate
 group-alias SSLVPNClient enable
tunnel-group certauth type remote-access
tunnel-group certauth general-attributes
 address-pool SSLClientPool
 default-group-policy certauth
tunnel-group certauth webvpn-attributes
 authentication certificate
 group-alias certauth enable
tunnel-group scep type remote-access
tunnel-group scep general-attributes
 address-pool (inside) SSLClientPool
 address-pool SSLClientPool
 default-group-policy scep
 scep-enrollment enable
tunnel-group scep webvpn-attributes
 authentication aaa certificate
 group-alias scep enable

If it is helpful, here is the XML file:

<?xml version="1.0" encoding="UTF-8" ?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false" />
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>ciscoca.xxxx.xx</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
    <CertificateEnrollment>
      <CertificateExpirationThreshold>10</CertificateExpirationThreshold>
      <AutomaticSCEPHost>AnyConnect.xxxx.xx/scep</AutomaticSCEPHost>
      <CAURL PromptForChallengePW="false">http://192.168.1.2</CAURL>
      <CertificateImportStore>All</CertificateImportStore>
      <CertificateSCEP>
        <Name_CN>%USER%</Name_CN>
        <DisplayGetCertButton>true</DisplayGetCertButton>
      </CertificateSCEP>
    </CertificateEnrollment>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>AnyConnect</HostName>
      <HostAddress>172.16.1.1</HostAddress>
      <MobileHostEntryInfo>
        <NetworkRoaming>true</NetworkRoaming>
        <CertificatePolicy>Auto</CertificatePolicy>
        <ConnectOnDemand>false</ConnectOnDemand>
        <ActivateOnImport>true</ActivateOnImport>
      </MobileHostEntryInfo>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

I would be very grateful if you have any suggestions that could help me.
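As an added example (not code from the thread or from Cisco), a small Python checker that cross-references the SCEP-proxy pieces of the posted running-config with the posted client profile: it assumes, as the editor's reading of the AnyConnect profile rules, that AutomaticSCEPHost is written as `<host from the ServerList>/<connection profile or alias>`, with HostAddress accepted as a host match, and it works on excerpts constructed from the post, keeping the redacted `AnyConnect.xxxx.xx` exactly as posted.

```python
# Cross-check the SCEP-proxy pieces of an ASA running-config against the AnyConnect
# client profile. Added example; excerpts are constructed from the posted config/XML.
import xml.etree.ElementTree as ET

ASA_CFG = """\
group-policy scep attributes
 scep-forwarding-url value http://192.168.1.2:80
tunnel-group scep general-attributes
 default-group-policy scep
 scep-enrollment enable
tunnel-group scep webvpn-attributes
 group-alias scep enable
"""
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ClientInitialization><CertificateEnrollment>
<AutomaticSCEPHost>AnyConnect.xxxx.xx/scep</AutomaticSCEPHost>
</CertificateEnrollment></ClientInitialization>
<ServerList><HostEntry><HostName>AnyConnect</HostName>
<HostAddress>172.16.1.1</HostAddress></HostEntry></ServerList>
</AnyConnectProfile>"""

def blocks(cfg):
    """Map each top-level ASA line to its one-space-indented sub-commands."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def check(cfg, profile_xml, tg):
    """Findings for tunnel-group tg (empty list = all passed). Assumption: AutomaticSCEPHost is <ServerList host>/<connection profile>."""
    b, found = blocks(cfg), []
    gen = b.get(f"tunnel-group {tg} general-attributes", [])
    if "scep-enrollment enable" not in gen:
        found.append(f"tunnel-group {tg}: scep-enrollment not enabled")
    gp = next((l.split()[-1] for l in gen if l.startswith("default-group-policy ")), "")
    if not any(l.startswith("scep-forwarding-url ") for l in b.get(f"group-policy {gp} attributes", [])):
        found.append(f"group-policy {gp}: no scep-forwarding-url (SCEP proxy needs AnyConnect 3.0+)")
    root = ET.fromstring(profile_xml)
    host, _, grp = root.findtext(".//{*}AutomaticSCEPHost", "").partition("/")
    known = {e.text for e in root.iter() if e.tag.endswith(("}HostName", "}HostAddress"))}
    if host not in known:
        found.append(f"profile: AutomaticSCEPHost host {host!r} matches no ServerList entry")
    aliases = {l.split()[1] for l in b.get(f"tunnel-group {tg} webvpn-attributes", []) if l.startswith("group-alias ")}
    if grp not in aliases | {tg}:
        found.append(f"profile: AutomaticSCEPHost group {grp!r} is not tunnel-group {tg} or an alias of it")
    return found
```

Run on the posted excerpts, `check(ASA_CFG, PROFILE_XML, "scep")` reports only the host-name mismatch; the same block walker can be pointed at other lines of the posted config worth a review, such as `ssh version 1` and the `null-sha1`/`rc4-md5` suites in `ssl encryption`.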

6 Replies

ove.hansen
Level 1

Please check if your iPhone/other devices and PC are connected to a network that has the address space 192.168.1.0/24 - these mobile devices will not forward traffic for networks they are directly connected to.

Bogdan Nita
VIP Alumni

Hello,

I have exactly the same problem.

Has anyone managed to find a solution?

Regards,

Bogdan

Hi Bogdan,

which version of AnyConnect do you use on your mobile devices? If you use version 3.0 or higher you can use a SCEP Proxy configuration. Then you have to configure this in your group-policy:

ASA(config-group-policy)# scep-forwarding-url value http://

When we tried to configure SCEP we used AnyConnect version 2.4. This version doesn't support a SCEP Proxy. So if you use a version <3.0 you can not configure a SCEP Proxy in your Group-Policy. Then you have to remove the line above. This solution is called Legacy SCEP.

Regards,

Oliver

Hello Oliver,

Thank you for the reply.

I am using AnyConnect 3.0.09073 on a Note 3.

I am using SCEP Proxy, I have the following command on the group policy:

scep-forwarding-url value http://10.1.1.2/certsrv/mscep/mscep.dll

SCEP Proxy works on Windows machines.

On mobile devices it connects, but does not make an Enrollment Request.

Regards,

Bogdan

Hi Bogdan,

ok then you have a different problem. I'm not sure if I can help you but I can try.

Do you have a mobile license on the ASA? Without this license you can not use the ASA for connections with mobile devices.

Regards,

Oliver

Do we have a solution?

I am facing the same problem with a Cisco ASA 5505 and Android and iOS AnyConnect 4.6.

Palaiologos